MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36613338c586fb7ddf36d7cda3c336180127030cc16f558e20e725f8542f01e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	36613338c586fb7ddf36d7cda3c336180127030cc16f558e20e725f8542f01e6
SHA3-384 hash:	7f4fc7331026af7511eb4c972130d2c4298185743bdfa21ca9698401f4a7f26ec3181d4d2e67db74b999b0d6ade8045a
SHA1 hash:	7105ba81779f4e2353565819e8b0f8934132348d
MD5 hash:	f01d05137762dd36a5c548279246b113
humanhash:	network-rugby-helium-massachusetts
File name:	file
Download:	download sample
Signature	RedLineStealer Alert Create hunting rule
File size:	346'624 bytes
First seen:	2023-06-06 13:48:44 UTC
Last seen:	2023-06-06 14:34:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0af0c6e3fe2b48c822ae2dd664bde01d (2 x RedLineStealer, 1 x Smoke Loader)
ssdeep	6144:8FQxMJ/81O3JSaAdXNfSrU8EI+Pm+Qdl64GON4vLlUVN1M:8iCJ/81nj3qvgm+Q7zfN4Wt
Threatray	1 similar samples on MalwareBazaar
TLSH	T1A1747D1393E17D64E9254E3A8E2FC6EC771EF6518F497B652218AA2F04B01B3D2B3711
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	00080a110f063300 (1 x RedLineStealer)
Reporter	jstrosch
Tags:	exe RedLineStealer

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

307

Origin country :

US

Vendor Threat Intelligence

ANY.RUN smoke

Malware family:

smoke

Alert

Create hunting rule

ID:

1

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-06-06 13:23:37 UTC

Tags:

loader smoke trojan rat redline

Link:

https://app.any.run/tasks/abb6bba7-9d92-4fc5-ae04-ea8499099d3c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox RedLine

Detection:

RedLine

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/396166/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Variant.Ser.Zusy.4331.2144.6247.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/647f395b6724902aa9581d8a/reports/5f45d673-cec1-4ad9-96b7-d57df8f82981/overview

Hybrid Analysis Ser.Zusy.Generic

Verdict:

Malicious

Labled as:

Ser.Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/36613338c586fb7ddf36d7cda3c336180127030cc16f558e20e725f8542f01e6

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious Packer

Malware family:

Malicious Packer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/617af208-bc19-4b61-ac8b-cefb9d31ce8e

Joe Sandbox RedLine

Result

Threat name:

RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1249665

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36613338c586fb7ddf36d7cda3c336180127030cc16f558e20e725f8542f01e6/

ReversingLabs TitaniumCloud Win32.Trojan.RedLineStealer

Threat name:

Win32.Trojan.RedLineStealer

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-06-06 13:49:13 UTC

File Type:

PE (Exe)

Extracted files:

55

AV detection:

17 of 24 (70.83%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gzqtgogfq35x3xzw27g2hqzwdaasoaymyfxvldra44s7qvbpahta._file

Threatray malicious

Verdict:

malicious

Similar samples:

00fc3bba8814fea6dd4c9b78ae51876f5e6a213ca7919451253008330160aba2

RedLineStealer

Hatching Triage redline

Result

Malware family:

redline

Alert

Create hunting rule

Score:

  10/10

Tags:

family:redline botnet:@germany discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230606-q4n9asee5t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

185.81.68.115:2920

UnpacMe redline

Unpacked files

SH256 hash:

a70f9478f132216be729645ec5d7ba93e8fd09fa75452d631749f5ebb8112a39

MD5 hash:

2ecc13ff8073fbb0c6877a70193694d0

SHA1 hash:

ea63864cc007e1f0212e5f9127ccbaff5c02cbad

Detections:

redline

Alert

Create hunting rule

Link:

https://www.unpac.me/results/0552a61e-a223-4691-ae94-0f3b7f96af64/

Parent samples :

36613338c586fb7ddf36d7cda3c336180127030cc16f558e20e725f8542f01e6
62a2221333631de6cf65db3fa3e2650947b23f24ea172a3ea998d77baa0cb270
ebb2ba69aefa29443238a76949a991384b01e4bb8291cfc5531e233d448cb280
1a6ebcbdbec2e51caa6b76b39a8608fde9ae766e8f937ac128a638763c4ad223
3ef6e2d77b69452be6d8101b1bc029570af3af86495111bbca696c92345547a9
e149546242d925d24473153a5e6bafbb3e9a4cb36ba86865dfa465d40617be22
a9140d39d5c4aa1ffe539c431fc95da154a2debbd180e5bdd33978b8a56a4701
60ba317c673641c96c24921d5908169b1eb27ae2aff2e0cb1d5aac43d8e3aa47
21fda73dd761f3a421f9cfbfa0944ac3226ef3e36905de421dd69060fe1a4b7a
8e933b2d90245af4ffffdbc914dcdab6e9167e48ed41715e614546d2b37279f1
3411be33cd514a23e0a799f888ecafdee90ebc724077e078babd340c02b3e444
5a92fbe395867e25c5fe4ae2f61946a3c3a9f141a14e41584939f7715b82ed26
63054e85bcad2319e692c774c253bb74c8b39531f6bc64664e7cd4cd7614b6b0
9e7036fd7a127e55e19ba8e7c277880f1ea2aecd5810620d5d2c37fcf547269c
e4d026295f494f4451cdca57fbeb0bf815b0db6f5b559354128676aac0f5daa3
6e1f1acde46206aeec80aff2847e28c13ba4a968cfc1f2f796039ee2abdd4427
cc8fa35d6827a4227d73c39d758ccec4a55dde4688abe6cad0062e92e133a9da
07109ec0f36d15537a80c566875fcbb482f1057104ed0669bc77489b1b2e3bb7
f19aac41c3f432af709d0597c34fe4c25348043ac622e97d89ded00fdf663a5f
1688dc9d9147e95bacc1b2a5ba0b3f48aafa697e7afa9795d94eddd842184fa7
1a2abfd9f3c9996f30c87609640c70e1cff2e76b15b3deede180ab33a1fb6629
b2ed125f1073843402dca506e06379e0991910cc46c7ca64da83ca45af6609d5
441bb4d4e051b2c79398a8cd8aa996a8694c6ddc8ac8b1442c69c469f4cb74b5
ccb6aef1741c370192d1af595e57ae1ae67c28101b934f1fc7303a5bb778d51c
a2f2bd6394b4d85f2d810724480df9f5d893aa298418a262b859074c4820b84c
f107eeb431a43d7f1f26e3729a58420d2556ec9745e48da5840e3c1218b7aadb
4c313f3f72094ea68a3e98db6778ce4ce9f38d3ba22e3b4b752a7a95679b1b70
1107924f1ace30ed819e1c694e406da31f31ff9250e750011450050e1147eae8
90012dedd673232e449e337e4d900a2754f3eb21103c62e799ca350eeebd37f5
65befbbadf131fadbdc58f2760b7135a280632d7efd214433e5b9881cd4e54d0

SH256 hash:

3224fc3a642ab6306202c6a95054ed5c5fa4d1eca798b5c3cefcbc0c7d7bee41

MD5 hash:

90292da3cbe7a4baa13f1006f4187722

SHA1 hash:

b3ebac2b1bcb7e65c167eb45de9b0725b8b5798d

Detections:

redline

Alert

Create hunting rule

Link:

https://www.unpac.me/results/0552a61e-a223-4691-ae94-0f3b7f96af64/

Parent samples :

36613338c586fb7ddf36d7cda3c336180127030cc16f558e20e725f8542f01e6
62a2221333631de6cf65db3fa3e2650947b23f24ea172a3ea998d77baa0cb270
ebb2ba69aefa29443238a76949a991384b01e4bb8291cfc5531e233d448cb280
1a6ebcbdbec2e51caa6b76b39a8608fde9ae766e8f937ac128a638763c4ad223
3ef6e2d77b69452be6d8101b1bc029570af3af86495111bbca696c92345547a9
e149546242d925d24473153a5e6bafbb3e9a4cb36ba86865dfa465d40617be22
a9140d39d5c4aa1ffe539c431fc95da154a2debbd180e5bdd33978b8a56a4701
60ba317c673641c96c24921d5908169b1eb27ae2aff2e0cb1d5aac43d8e3aa47
21fda73dd761f3a421f9cfbfa0944ac3226ef3e36905de421dd69060fe1a4b7a
8e933b2d90245af4ffffdbc914dcdab6e9167e48ed41715e614546d2b37279f1
3411be33cd514a23e0a799f888ecafdee90ebc724077e078babd340c02b3e444
5a92fbe395867e25c5fe4ae2f61946a3c3a9f141a14e41584939f7715b82ed26
63054e85bcad2319e692c774c253bb74c8b39531f6bc64664e7cd4cd7614b6b0
9e7036fd7a127e55e19ba8e7c277880f1ea2aecd5810620d5d2c37fcf547269c
e4d026295f494f4451cdca57fbeb0bf815b0db6f5b559354128676aac0f5daa3
6e1f1acde46206aeec80aff2847e28c13ba4a968cfc1f2f796039ee2abdd4427
cc8fa35d6827a4227d73c39d758ccec4a55dde4688abe6cad0062e92e133a9da
07109ec0f36d15537a80c566875fcbb482f1057104ed0669bc77489b1b2e3bb7
f19aac41c3f432af709d0597c34fe4c25348043ac622e97d89ded00fdf663a5f
1688dc9d9147e95bacc1b2a5ba0b3f48aafa697e7afa9795d94eddd842184fa7
1a2abfd9f3c9996f30c87609640c70e1cff2e76b15b3deede180ab33a1fb6629
b2ed125f1073843402dca506e06379e0991910cc46c7ca64da83ca45af6609d5
441bb4d4e051b2c79398a8cd8aa996a8694c6ddc8ac8b1442c69c469f4cb74b5
ccb6aef1741c370192d1af595e57ae1ae67c28101b934f1fc7303a5bb778d51c
a2f2bd6394b4d85f2d810724480df9f5d893aa298418a262b859074c4820b84c
f107eeb431a43d7f1f26e3729a58420d2556ec9745e48da5840e3c1218b7aadb
4c313f3f72094ea68a3e98db6778ce4ce9f38d3ba22e3b4b752a7a95679b1b70
1107924f1ace30ed819e1c694e406da31f31ff9250e750011450050e1147eae8
90012dedd673232e449e337e4d900a2754f3eb21103c62e799ca350eeebd37f5
65befbbadf131fadbdc58f2760b7135a280632d7efd214433e5b9881cd4e54d0

SH256 hash:

71413391003853f795298f817d5838f38dc538852abf0f7d2601cb20adebc7f4

MD5 hash:

2c6de7a063443e62182b35d5e5f7958a

SHA1 hash:

a0d99c6c3c97fe3fad283d88fc78463e2539ec70

Link:

https://www.unpac.me/results/0552a61e-a223-4691-ae94-0f3b7f96af64/

SH256 hash:

36613338c586fb7ddf36d7cda3c336180127030cc16f558e20e725f8542f01e6

MD5 hash:

f01d05137762dd36a5c548279246b113

SHA1 hash:

7105ba81779f4e2353565819e8b0f8934132348d

Link:

https://www.unpac.me/results/0552a61e-a223-4691-ae94-0f3b7f96af64/

VMRay RedNet

Malware family:

RedNet

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/36613338c586/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/36613338c586fb7ddf36d7cda3c336180127030cc16f558e20e725f8542f01e6

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 36613338c586fb7ddf36d7cda3c336180127030cc16f558e20e725f8542f01e6

(this sample)

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/396166/

  

URLhaus

https://urlhaus.abuse.ch/url/2649818/